Biometric Skimmers Pose Emerging Threat To ATMs

Even as financial institutions move to shore up ATM security with biometric mechanisms, cybercrooks are busy figuring out ways to beat them.

Biometric identifiers like fingerprints, palm veins, voice, and the iris have long been considered to offer the most secure way to authenticate an individual’s identity. But that may be changing.

Security firm Kaspersky Lab recently investigated how cybercriminals might be planning to defeat new biometric authentication measures that some banks are considering for use in Automated Teller Machines (ATMs). The investigation showed that while banks are bullish on biometric-based technologies, cybercriminals are viewing them as yet another opportunity for carrying out attacks against ATMs.

In a report this week, researchers at Kaspersky Lab said they discovered at least 12 underground sellers offering skimming devices capable of stealing fingerprints from ATMs enabled with fingerprint scanners.

The devices apparently act just like regular skimmers do in stealing payment card data. They are designed to connect physically to a target ATM and to steal fingerprint data that users may be required to input while authenticating their identity with the device. The stolen data can then be used to authorize other fraudulent transactions, the researchers say.

Available evidence suggests that the first wave of biometric skimmer machines, which surfaced last September, were buggy and had to contend with multiple issues during initial tests in the European Union. The biggest hurdle apparently was that the GSM modules the underground sellers used in their skimmers for transferring stolen biometric data were too slow to handle large data loads.

But biometric skimming devices with faster data transfer technologies are only a short distance away, the Kaspersky Lab researchers say.

Fingerprint skimmers are apparently not the only devices that the cyber underground is preparing in order to thwart any biometric multi-factor authentication mechanisms that might be incorporated into ATMs over the next several years.

According to the Kaspersky Lab report, at least three criminal outfits have begun testing ATM skimmers designed to steal data from iris recognition and palm vein readers as well.

The concerns do not stop there. Kaspersky researchers also came across chatter in the dark Web and underground communities about new applications being developed to fool facial recognition systems on ATMs. Much of the talk has involved the use of mobile applications capable of taking an individual’s photo and using it to somehow fool a facial recognition system.

The report describes several other potential avenues that criminals could take to overcome biometric authentication devices in ATMs. They include black-box attacks involving the use of malicious devices connected to the cash dispenser or card reader, as well as attacks on NFC-enabled readers of biometric data.

Kaspersky Lab did not have anyone immediately available to comment on its research. But in a statement announcing the results of its investigation, Kaspersky Lab security expert Olga Kochetova said the new data highlights the need for strong controls over biometric data.

"The problem with biometrics is that unlike passwords or pin codes, which can be easily modified in the event of compromise, it is impossible to change your fingerprint or iris image," Kochetova said. "Thus, if your data is compromised once, it won’t be safe to use that authentication method again."
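The skimmers described above sit physically on the ATM and capture fingerprint data as it passes to the host, and, as Kochetova notes, a captured template cannot be rotated the way a PIN can. The following is an added example, not code from the article or from Kaspersky Lab, of the defensive design that addresses both points: a simplified fingerprint reader that keeps enrolled templates inside the sensor, matches locally, and answers the ATM host only with a nonce-bound, keyed match result. The message layout, the `fp-verify` label, the shared key and the template bytes are constructed assumptions for illustration, not any vendor's protocol.

```python
"""Added example (not from the article): a secure-sensor model in which the raw
fingerprint template never crosses the host cable. A device tapping that cable
sees only a one-byte result plus a MAC bound to a fresh host nonce, so the
captured bytes carry no biometric data and cannot be replayed."""
import hashlib
import hmac
import os

# Constructed 128-bit key provisioned into both host and sensor (assumption).
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def _mac(key: bytes, nonce: bytes, user_id: str, result: bytes) -> bytes:
    """Keyed tag over the labelled transcript: label | nonce | user | result."""
    msg = b"fp-verify|" + nonce + b"|" + user_id.encode() + b"|" + result
    return hmac.new(key, msg, hashlib.sha256).digest()


class SecureSensor:
    """Stores templates and performs matching internally; only a MAC'd verdict leaves."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._templates: dict[str, bytes] = {}  # user_id -> exact-match template (toy model)

    def enroll(self, user_id: str, template: bytes) -> None:
        self._templates[user_id] = template

    def verify(self, user_id: str, presented: bytes, nonce: bytes) -> bytes:
        # Constant-time comparison stands in for real fuzzy minutiae matching.
        matched = hmac.compare_digest(self._templates.get(user_id, b""), presented)
        result = b"\x01" if matched else b"\x00"
        return result + _mac(self._key, nonce, user_id, result)  # 33 bytes on the wire


class AtmHost:
    """Issues a fresh nonce per attempt and accepts only a valid, unused reply."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._used_nonces: set[bytes] = set()

    def new_challenge(self) -> bytes:
        return os.urandom(16)

    def accept(self, user_id: str, nonce: bytes, reply: bytes) -> bool:
        if nonce in self._used_nonces or len(reply) != 33:
            return False  # replayed challenge or malformed frame
        result, tag = reply[:1], reply[1:]
        if not hmac.compare_digest(tag, _mac(self._key, nonce, user_id, result)):
            return False  # tag does not match this nonce: forged or replayed reply
        self._used_nonces.add(nonce)
        return result == b"\x01"


def run_scenarios() -> dict:
    """Genuine use, a skimmed frame replayed, and a wrong finger, all on one sensor/host pair."""
    sensor, host = SecureSensor(SHARED_KEY), AtmHost(SHARED_KEY)
    template = b"CONSTRUCTED-MINUTIAE-BLOB-0001"  # constructed, not a real template format
    sensor.enroll("acct-42", template)

    # 1. Genuine customer: host challenge, sensor verdict, host acceptance.
    nonce1 = host.new_challenge()
    wire = sensor.verify("acct-42", template, nonce1)  # what a cable tap would capture
    genuine_ok = host.accept("acct-42", nonce1, wire)

    # 2. The captured frame is replayed, both against the same nonce and a new one.
    replay_same_nonce = host.accept("acct-42", nonce1, wire)
    nonce2 = host.new_challenge()
    replay_new_nonce = host.accept("acct-42", nonce2, wire)

    # 3. A different finger presented to a fresh challenge.
    nonce3 = host.new_challenge()
    wrong_finger = host.accept("acct-42", nonce3, sensor.verify("acct-42", b"OTHER-FINGER", nonce3))

    return {
        "genuine_accepted": genuine_ok,
        "template_on_wire": template in wire,
        "replay_same_nonce_accepted": replay_same_nonce,
        "replay_new_nonce_accepted": replay_new_nonce,
        "wrong_finger_accepted": wrong_finger,
    }


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The design choice worth noting is that the host never receives biometric material at all, so a device spliced into the cable has nothing to harvest, and the per-attempt nonce means a recorded "match" frame cannot be reused for a later transaction. A production sensor would do fuzzy matching and use attested device keys rather than one shared secret, but the property shown here is the same.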

Interest in biometric technologies for ATMs has grown in recent years amid increasing concerns about the vulnerability of traditional PIN-based authentication mechanisms to "jackpotting" and other malicious attacks. There have been multiple reports this year of big ATM heists, including one involving the theft of nearly $3 million from 41 bank ATMs in Taiwan and another involving the theft of $13 million from ATMs at about 1,400 7-Eleven stores in Japan.

While the Kaspersky Lab report touches on several biometric authenticators for ATMs, most of the early interest within the financial community appears to be focused largely on fingerprint biometrics.

Currently, there are five ways in which biometric authentication is being used at ATM terminals, according to the banking industry body BAI. One approach has been to use fingerprints as a replacement for PINs at ATMs. A growing number of financial institutions have also begun using fingerprint authentication for mobile payments and banking applications for multi-transaction sessions and to authenticate to new applications.

Some are also looking to incorporate a user’s fingerprint biometric directly on the card itself or mobile device as a form of secure authentication, the BAI has noted previously.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

It's really worrying that so many people are so tragically misinformed. Biometrics should not be activated where you need to be security-conscious.

It is known that the authentication by biometrics comes with poorer security than PIN/password-only authentication. The following video explains how biometrics makes a backdoor to password-protected information.
